On October 16, the Department of Homeland Security announced that it would require federal agencies to implement DMARC and STARTTLS on their email-sending domains within 90 days, and HTTPS on their websites within 120 days.

While the directive only applies to the U.S. federal executive branch, it will have far wider effects. In the past month and a half, I have been hearing from executives in finance, health care, and other fields that they, too, are looking at securing their email systems the same way the federal government is. (See here for the text of the DHS directive BOD 18-01 about HTTPS, DMARC, and STARTTLS.)

In short, DHS has created a new de facto best practice for doing business on the Internet, just as Google did a few years ago with HTTPS.

Why email security matters now

These two email standards—DMARC for authenticating the senders of email messages and STARTTLS for encrypting the messages as they are transmitted between mail servers—are aimed at closing fundamental security gaps in email that have existed since it was first created four decades ago.

This directive comes at a good time. The Internet is facing a historic explosion of phishing attacks and email impersonation exploits and many companies have seen a spike in the number of phishing emails.

Phishing is the #1 vector through which all cyberattacks begin, by far: It’s the starting point for over 90 percent of all breaches. The majority of phish utilize impersonation: The senders put a fake email address in the From field of their phish emails, making them look like legitimate emails from a known sender, often the CEO or CFO of the recipient’s company or a trusted partner.

These kinds of attacks cost real money.
To pick just one subcategory of email fraud, business email compromise (BEC) has cost American businesses $5.3 billion since 2013, according to the Federal Bureau of Investigation.

Just recently, Mimecast released the results of research showing that email impersonation attacks increased by 50 percent in the most recent quarter.

The threat is real, and it’s growing.

How HTTPS became ubiquitous

Standards, like new technologies, have to cross a “chasm” from early adopters to widespread adoption, to use Geoffrey Moore’s influential terminology.

Proposals that go through official standards-making bodies don’t always become universally adopted. And sometimes de facto standards come about without going through an official vetting process.

Often, what it takes to create a true standard is for a major player—like a government agency or a big company—to embrace it. Support from a big enough player can push a standard across the “chasm,” transforming it from being merely a good idea into something that everyone takes for granted.

Ever wonder why websites suddenly started making the shift to HTTPS a few years ago? It’s not because of the reassuring “lock” icon that browsers display next to the URL bar, indicating that you’ve got a secure session with that web server. Sure, that’s a nice feature, and e-commerce sites have been using it to ensure security on their transaction pages for well over a decade.

But what made HTTPS ubiquitous for nearly all websites was when Google embraced it in 2014, first by recommending that everyone use it—and then, crucially, by using HTTPS as a ranking signal. In short, Google made it so that you’d appear higher in search results if your site was using HTTPS.

It didn’t take long before every chief marketing officer was beating down the doors of their IT departments, demanding that they make their websites HTTPS by default.

The growth in HTTPS continues to this day.
In 2016, 40 percent of websites used HTTPS, and it’s nearing 70 percent today, according to certificate authority Let’s Encrypt.

DHS raised the bar for email

A similar thing is about to happen with email security through DMARC and STARTTLS.

You might think that this is too little, too late for a communications medium that’s on its way out.

Guess again.

Yes, Slack has taken Silicon Valley by storm for rapid team-based collaboration. And Snapchat, Instagram, and WhatsApp rule the world of impromptu, ephemeral consumer communication.

Still, email continues to thrive and even grow. There are now 6.3 billion email inboxes in use around the world, used by 3.7 billion people, or half the planet’s population. Worldwide, those people send almost 270 billion email messages every single day.

That’s because email serves a vital function: Enabling universal, global, two-way communication between companies and their customers.

Email’s biggest problem right now is the surge in phishing I described above. But the majority of those phishing attacks could be eliminated overnight by implementing email authentication through DMARC, which completely prevents email impersonation.

Adding STARTTLS will increase the security of this vital communications channel and help protect it against not only impersonation, but also eavesdropping and other forms of compromise.

That’s why the DHS order comes at just the right time to push email security over the chasm. There’s a pressing need for authentication, and one of the largest governments in the world is now moving to implement it.

It won’t be long before DMARC and STARTTLS are just as ubiquitous as HTTPS is today.